
FTP Security on VPS and Reseller Accounts

14 May 2009

34SP.com Staff

We are aware that a number of reseller hosting and VPS hosting accounts are also being affected by unauthorised FTP uploads. On our shared hosting accounts we know which domains have been created and can alter these directly from our systems; with the reseller and VPS accounts we cannot do this directly.

We can however offer you a method to restrict FTP access to a certain IP address or a subset of IP addresses.

The first thing to do is to determine your own IP address – one of the easiest ways of doing this is to visit http://www.whatismyip.com/. At the top of the page it will say ‘Your IP Address Is: 1.2.3.4’

If you are on a static IP then this is all that you need to do. If, however, you are on a dynamically assigned IP address, your IP will change on a regular basis, so you will need to know the IPs that you could possibly be assigned. While you are still on the http://www.whatismyip.com/ site, look at the left and you will see a link marked ‘IP WHOIS Lookup’. Click this, followed by the button ‘Whois Lookup’. The screen will now show a lot more information regarding your IP address.

In the output on this screen you should see something like this:

inetnum : 1.2.3.0 – 1.2.7.255

This is the range of IPs that you could be assigned.

Now that we have the possible range of IPs, this is how to proceed.

In a text editor on your computer, create a file named ‘.ftpaccess’ (note the ‘.’ (dot) at the beginning of the name).

The contents of this file will be as follows if you have a static IP address:

<Limit ALL>
DenyALL
Allow 127.0.0.1
Allow 1.2.3.4
</Limit>

The Allow 127.0.0.1 line is left there as a backup so that you can still access the files via the file manager in siteadmin should you need to.

If you are on a dynamically assigned IP then you will need to allow some ranges. Based on our example inetnum output above our file would look like this:

<Limit ALL>
DenyALL
Allow 127.0.0.1
Allow 1.2.3.
Allow 1.2.4.
Allow 1.2.5.
Allow 1.2.6.
Allow 1.2.7.
</Limit>

Now simply upload this file to the httpdocs, httpsdocs and cgi-bin folders. This will stop anyone bar the named IP ranges from being able to access these key folders. You can also do the same with webusers and subdomains if you use these.
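If your range is longer than the example, or does not start and end on a .0/.255 boundary, the Allow lines can be generated rather than typed by hand. The script below is an added example, not part of the original article; the function names are our own, and the sample input is the example inetnum line from above.

```python
import ipaddress
import re


def allow_lines(inetnum):
    """Turn a whois 'inetnum' range into .ftpaccess Allow lines."""
    # Pull the start and end addresses out of the line, whatever dash is used.
    ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", inetnum)
    if len(ips) != 2:
        raise ValueError(f"expected 'start - end', got {inetnum!r}")
    first, last = (ipaddress.IPv4Address(ip) for ip in ips)
    lines = []
    # summarize_address_range splits the range into exact CIDR blocks
    # (it raises ValueError if the end address is below the start).
    for block in ipaddress.summarize_address_range(first, last):
        if block.prefixlen <= 24:
            # Whole /24 networks: use the trailing-dot prefix form, e.g. "1.2.3."
            for net in block.subnets(new_prefix=24):
                lines.append("Allow " + str(net.network_address)[:-1])
        else:
            # Partial /24 at the edge of the range: list each address,
            # so nothing outside the whois range is allowed by accident.
            lines.extend(f"Allow {addr}" for addr in block)
    return lines


def build_ftpaccess(inetnum):
    """Return the full .ftpaccess text, keeping the 127.0.0.1 backup line."""
    body = ["<Limit ALL>", "DenyALL", "Allow 127.0.0.1"]
    body += allow_lines(inetnum)
    body.append("</Limit>")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # Sample line as shown in the whois output above.
    print(build_ftpaccess("inetnum : 1.2.3.0 – 1.2.7.255"), end="")
```

Allowing a whole provider range also admits every other address in that range, so keep the list as narrow as your connection permits.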

This change will not block SFTP or SCP, so if you only use these protocols you could use a file with the following:

<Limit ALL>
DenyALL
</Limit>

This would then stop any FTP access from being allowed to your site. Please do contact our client Service and Support Department with any questions or comments on this important security measure.